CyberheistNews Vol 15 #34 [Watch Out] That Urgent Payroll Update Alert? It's a Phishing Attack

KnowBe4 Team | Aug 26, 2025

[Watch Out] That Urgent Payroll Update Alert? It's a Phishing Attack

Phishing attacks impersonating HR are on the rise. Between January 1 – March 31, 2025, our Threat Lab team observed a 120% surge in these attacks reported via our PhishER product versus the previous three months. These attacks have remained at elevated levels since peaking in February.

FYI, in our previous post we explored the reasons that make these attacks so effective. Now we'll look at the trends and specific campaigns behind the numbers.

Our analysis reveals four key trends in HR impersonation attacks for 2025:

  • Seasonal Alignment: Attacks are strategically timed to coincide with administrative and financial cycles, often creating a sense of urgency through time-sensitive deadlines to socially engineer their targets.
  • Increase in Volume and Sophistication: HR-themed attacks are rapidly increasing in both volume and complexity, with attackers investing in specialized social engineering.
  • Advanced, Sector-Specific Targeting: Cybercriminals show evidence of extensive reconnaissance, tailoring lures to specific industries like manufacturing (safety messages), healthcare (HIPAA) and finance (regulatory updates).
  • Obfuscation tactics to evade secure email gateways (SEGs): Campaigns combine several evasion techniques, including disguised payloads and hijacked infrastructure belonging to legitimate services.

[CONTINUED] With examples, screenshots, and links!
https://blog.knowbe4.com/that-urgent-payroll-update-email-is-a-trap-a-look-at-the-latest-hr-phishing-tactics

[FREE Resource Kit] The Cybersecurity Awareness Month Kit for 2025 is Now Available

Cybersecurity Awareness Month is around the corner, and we've got your back!

It's dangerous out there, so you shouldn't go it alone. Take your users on an 8-bit journey across four levels of cyber sleuthing with our 80s arcade-themed Cybersecurity Awareness Month resource kit! We've set you up with enough free training content to run a whole themed campaign throughout October.

This year, each themed week represents a new level for your users to explore. Along the way they'll encounter baddies bursting out of the arcade cabinet representing the key cyber threats for each week.

Here is what you'll get:

  • Access to a curated collection of security awareness training videos and interactive modules straight from KnowBe4's award-winning training library
  • Resources to help you plan your activities, including your Cybersecurity Awareness Month User Guide and Cybersecurity Awareness Weekly Planner
  • NEW! Four "Arcade Villain" character cards/posters, plus additional posters and digital signage assets available in multiple languages
  • Free resources for you including our most popular on-demand webinar and whitepaper

This kit will help you and your users fight cybercrime this October and beyond!

Get Your Kit Now:
https://info.knowbe4.com/cyber-security-awareness-kit-chn

North Korean Threat Actor Delivers Ransomware Via Phishing Emails

The North Korean threat actor ScarCruft has incorporated ransomware into its arsenal, according to researchers at South Korean security firm S2W.

ScarCruft is known for conducting espionage operations, but North Korean state-sponsored groups often conduct financially motivated attacks to generate revenue for Pyongyang.

"The deployment of ransomware, traditionally uncommon in ScarCruft campaigns, represents a notable deviation from the group's historical focus on espionage," the researchers write. "This suggests a potential shift toward financially motivated operations, or an expansion of operational goals that now include disruptive or extortion-driven tactics."

The researchers observed the threat actor deploying ransomware in a campaign targeting South Koreans last month. The attackers sent phishing emails disguised as postal-code updates regarding changes in street addresses. The emails contained malicious LNK files embedded in RAR archives, which were designed to deliver a variety of different malware strains.

"Upon execution, the LNK dropped an AutoIt loader, which then fetched and executed additional payloads including a stealer, ransomware, and backdoor from an external server," S2W says. "Among the nine distinct malware samples identified in this campaign, the following are the most notable: NubSpy, LightPeek, TxPyLoader, FadeStealer, VCD Ransomware, and CHILLYCHINO, among others."
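The delivery chain above starts with a Windows shortcut (.lnk) wrapped in an archive attachment. As an added illustration, not part of this newsletter or of S2W's research, the following Python check inspects a message's attachments for that pattern: it flags shortcuts attached directly (by header bytes), ZIP members ending in .lnk, and RAR archives (by signature) that must be held for a sandbox because the standard library cannot list their members. The message, sender addresses, filenames and attachment bytes are all constructed here.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Header bytes: a Windows shell link begins with HeaderSize 0x4C followed by the link CLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
RAR_MAGIC = b"Rar!\x1a\x07"  # common prefix of the RAR4 and RAR5 signatures

def lnk_members(data):
    """Names of .lnk members inside a ZIP attachment; empty for non-ZIP data."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".lnk")]
    except zipfile.BadZipFile:
        return []

def attachment_findings(raw_eml):
    """Return (filename, reason) pairs for attachments matching the LNK-in-archive lure."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if data.startswith(LNK_MAGIC) or name.lower().endswith(".lnk"):
            findings.append((name, "Windows shortcut attached directly"))
        if data.startswith(RAR_MAGIC):
            # zipfile cannot open RAR; hold the message for a sandbox that can extract it
            findings.append((name, "RAR archive, hold for sandbox inspection"))
        for member in lnk_members(data):
            findings.append((name, f"ZIP member {member} is a Windows shortcut"))
    return findings

def build_sample_eml():
    """Constructed sample (not a real ScarCruft message): a postal-code lure with two attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("postal_code_update.lnk", LNK_MAGIC + b"\x00" * 24)  # header-only stub
    msg = EmailMessage()
    msg["From"] = "postal-notice@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Postal code change for your street address"
    msg.set_content("Your postal code has changed. Details are in the attached archive.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="address_update.zip")
    msg.add_attachment(RAR_MAGIC + b"\x01\x00" + b"\x00" * 16, maintype="application",
                       subtype="vnd.rar", filename="address_update.rar")
    return msg.as_bytes()
```

Calling `attachment_findings(build_sample_eml())` returns one finding for the ZIP member and one for the RAR archive; in a gateway you would feed it the raw bytes of each inbound message instead.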

The threat actor has also ported its malware to new programming languages in order to expand targeting and evade detection.

"Existing malware, as well as publicly available code, has been ported to alternative programming languages for reuse," the researchers write.

"Similar to the group's prior use of Go-based malware like AblyGo, this campaign features malware written in Rust, suggesting a pattern of using modern languages for enhanced versatility and detection evasion. These efforts indicate ScarCruft's ongoing focus on detection evasion and tooling."

AI-powered security awareness training gives your organization an essential layer of defense against phishing attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/north-korean-threat-actor-delivers-ransomware-via-phishing-emails

[Live Demo] Ridiculously Easy AI-Powered Security Awareness Training and Phishing

Phishing and social engineering remain the #1 cyber threat to your organization, with 68% of data breaches caused by human error. Your security team needs an easy way to deliver personalized training. This is precisely what our AI Defense Agents provide.

Join us for a demo showcasing KnowBe4's leading-edge approach to human risk management with agentic AI that delivers personalized, relevant and adaptive security awareness training with minimal admin effort.

See how easy it is to train and phish your users with KnowBe4's HRM+ platform:

  • SmartRisk Agent™ - Generate actionable data and metrics to help you lower your organization's human risk score
  • Template Generator Agent - Create convincing phishing simulations, including Callback Phishing, that mimic real threats. The Recommended Landing Pages Agent then suggests appropriate landing pages based on AI-generated templates
  • Automated Training Agent - Automatically identify high-risk users and assign personalized training
  • Knowledge Refresher Agent and Policy Quizzes Agent - Reinforce your security program and organizational policies.
  • Enhanced Executive Reports - Track user activities, visualize trends, download widgets, and improve searching/sorting to provide deeper insights and streamline collaboration

See how these powerful AI-driven features work together to dramatically reduce your organization's risk while saving your team valuable time.

Date/Time: Thursday, September 11 @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/ksat-demo-3?partnerref=CHN

From Human Resources to Human Risk: Why HR is the Perfect Department for Cybercriminals to Impersonate

By Bex Bailey

We all trust HR—especially when we think they're emailing us!

Data from KnowBe4's HRM+ platform reveals that phishing simulations with internal subject lines dominate the list of most-clicked templates in 2025.

Out of the top 10 templates people interacted with between May 1 - June 30, 2025, an incredible 98.4% had subject lines relating to internal topics - with HR mentioned in 45.2%. (It was a similar story between January 1 - April 30 this year too.) Our data shows that people are most likely to interact with simulations that have subject lines about pay (such as updating tax forms), changes to the dress code, time off and performance reviews.

There's nothing hugely out of the ordinary in these templates: they're all fairly standard communications you could reasonably expect to receive from an HR department. They're also topics that people will be naturally curious about - which, unfortunately, is again fairly standard for emails from HR - and that is why HR is such a popular department for cybercriminals to impersonate.

Why Do People Fall Victim to Phishing Emails Impersonating HR?

  • Authority Bias
  • Representativeness
  • Social Proof

[CONTINUED] Learn more about this deadly trio in this blog post:
https://blog.knowbe4.com/from-human-resources-to-human-risk-why-hr-is-the-perfect-department-for-cybercriminals-to-impersonate

Top 3 Reasons to Attend KB4-CON EMEA 2025

Explore the world of human risk management, AI and adaptive defense strategies at our annual cybersecurity conference.

This year, we're taking attendees on an exciting journey with a line-up of expert speakers, comprehensive sessions, and diverse integration vendors. Join us on the 23rd of October in London and be part of the experience.

DISCOVER - Immerse yourself in over 15 informative sessions featuring the best in cybersecurity. Gain insights into the future of human risk management and AI whilst staying ahead of the latest industry trends.

GROW - Gain direct access to product experts, engage in the product-specific session with KnowBe4's VP of Product Strategy, and explore the future through product roadmaps.

CONNECT - Network with fellow cybersecurity professionals, industry pioneers, and thought leaders who are driving innovation across the field. Share challenges, exchange best practices and create valuable connections.

It gets better with our special offer: buy 2 tickets, get 1 free! Maximize your team's learning experience whilst keeping costs down.*

Register today for just £99 per ticket!

Save My Spot:
https://knowbe4.cventevents.com/RMXXd0?RefId=CHN+Email

P.S. Need help with approval? Download our travel justification letter to make your case, here.
*Terms and conditions apply

Three Data Points: "May You Live In Interesting Times"

  • WSJ: "Losses from AI-generated CEO and other executive impersonations exceeded $200 million worldwide in the first quarter of the year."
  • WSJ: "AI is driving a surge in CEO voice and video impersonation scams, with roughly one deepfake attack in the U.S. every five minutes."
  • Social Engineers Are Now the Most Recruited Talent by Cybercrime Groups. Hmmm.

Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: [BUDGET AMMO] Inc Mag article by yours truly: "Employees Are Your Greatest Cybersecurity Asset":
https://www.inc.com/stu-sjouwerman/employees-are-your-greatest-cybersecurity-asset/91217213

PPS: [MOVING TARGETS] Researchers warn of an increase in ransomware attacks against Japanese companies:
https://blog.talosintelligence.com/ransomware_incidents_in_japan_during_the_first_half_of_2025/

Quotes of the Week  
"When you arise in the morning, think of what a precious privilege it is to be alive - to breathe, to think, to enjoy, to love."
- Marcus Aurelius - Roman Emperor (121 - 180 AD)

"If you want a quality, act as if you already had it."
- William James - Philosopher (1842 - 1910)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-34-watch-out-that-urgent-payroll-update-alert-its-a-phishing-attack

Security News

Warning: Deepfake Investment Scams Target Social Media Users

Researchers at ESET warn that AI-assisted investment scams are flooding social media. Attackers are using deepfake videos impersonating banks, companies, or celebrities to trick users into handing over their banking credentials or sending money directly to the scammers.

"Investment scams have been the biggest money-maker for cybercriminals for several years, according to the FBI," ESET says. "At the last count, they made nearly $6.6 billion – and that's just from crimes reported to the Feds.

It dwarfs the $2.8 billion made from second-placed business email compromise (BEC). There are, of course, many tactics, techniques, and procedures (TTPs) associated with this type of fraud. But many start with malicious or misleading ads circulated on social media.

These are usually deployed as a lure to trick the victim into either handing over personal information or directing them straight to an investment scam."

ESET says these scams are particularly effective for the following reasons:

  • "Times are tough for many of us, and the chance of some quick-and-easy financial wins appeals [to us].
  • "Our attention spans are declining, especially on mobile devices, so warning signs may not be spotted in time.
  • "Many of us aren't familiar with the latest threat TTPs, such as using deepfake videos, which makes us more vulnerable.
  • "Many of these threats are localized, use legitimate (hijacked) accounts and can appear high up on search rankings.
  • "Traditional anti-fraud mechanisms from banks don't often work if we are socially engineered over the phone to invest in a fraudulent scheme."

ESET has the story:
https://www.welivesecurity.com/en/scams/investors-beware-ai-powered-financial-scams-swamp-social-media/

Warning: Social Engineering is a Growing Threat to the Industrial Sector

Social engineering attacks are a growing threat to operational technology (OT) environments, Industrial Cyber reports.

Cyberattacks against these environments can be particularly damaging since they have the potential to cause physical disruptions.

"With the expanding IT/OT footprint, the attack surface is increasingly providing attackers additional opportunities to compromise targets by stealing credentials, impersonating trusted insiders, and moving laterally from one system to another inside the network," Industrial Cyber says.

"AI-driven phishing, voice cloning, and deepfake-enabled pretexting are lowering the barrier to entry, enabling cyber adversaries to deploy powerful tools that have the potential to erode the reliability of human judgment across critical infrastructure installations."

Paul Smith, Honeywell's director of operational technology cybersecurity engineering, warned of phishing campaigns targeting disgruntled employees after reduction-in-force (RIF) moves. "An interesting tactic that I have seen would be internal post-RIF announcements, a spoofed HR email sending out anonymous employee feedback surveys," Smith told Industrial Cyber.

"This exploits the vulnerable nature of the disgruntled employee who wants to be heard. Implementing email security gateways and AI threat detection to filter out email spoofing, lookalike domains, and malicious attachments would be a tooling recommendation.

Security awareness training is still paramount, as we are the last line of defense to mitigating 'click compromises.'"

[CONTINUED] Blog post with links:
https://blog.knowbe4.com/warning-social-engineering-is-a-growing-threat-to-the-industrial-sector

 
The 10 Interesting News Items This Week
  1. Anthropic: Claude can now end conversations to prevent harmful uses:
    https://www.bleepingcomputer.com/news/artificial-intelligence/anthropic-claude-can-now-end-conversations-to-prevent-harmful-uses/

  2. Microsoft: "Ransomware gang masking PipeMagic backdoor as ChatGPT desktop app":
    https://www.microsoft.com/en-us/security/blog/2025/08/18/dissecting-pipemagic-inside-the-architecture-of-a-modular-backdoor-framework/

  3. Perplexity's Comet AI browser tricked into buying fake items online:
    https://www.bleepingcomputer.com/news/security/perplexitys-comet-ai-browser-tricked-into-buying-fake-items-online/

  4. FBI: "Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure":
    https://www.ic3.gov/PSA/2025/PSA250820

  5. Scattered Spider Member Sentenced to 10 Years in String of Hacks:
    https://www.bloomberg.com/news/articles/2025-08-20/scattered-spider-member-sentenced-to-10-years-in-string-of-hacks?srnd=phx-technology

  6. Fake Copyright Notices Drop New Noodlophile Stealer Variant:
    https://hackread.com/phishing-scam-fake-copyright-notice-noodlophile-stealer/

  7. Lumma Infostealer affiliates use an AI-powered phishing page generator:
    https://www.recordedfuture.com/research/behind-the-curtain-how-lumma-affiliates-operate

  8. Hackers who exposed North Korean government hacker explain why they did it:
    https://techcrunch.com/2025/08/21/hackers-who-exposed-north-korean-government-hacker-explain-why-they-did-it/

  9. All Apple users should update after company patches zero-day vulnerability in all platforms:
    https://www.malwarebytes.com/blog/news/2025/08/all-apple-users-should-update-after-company-patches-zero-day-vulnerability-in-all-platforms

  10. Scattered Spider chooses its targets based on "perceived profitability or ease of social engineering":
    https://www.flashpoint.io/blog/scattered-spider-threat-profile/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
